9

It works if and only if the user is signed into LinkedIn at the time of making the OAuth2 request.

If the user is not signed in then we encounter an error.

Sequence of our actions:

  • successfully fetch the fresh access token
  • using the access token, post to the api endpoint https://api.linkedin.com/v1/people/\~

After this we receive a 401 with the following content:

{
  "errorCode": 0,
  "message": "Unable to verify access token",
  "requestId": "C0DUCX81SA",
  "status": 401,
  "timestamp": 1421946470523
}

Sometimes, after some time passed, a retry with the same Access Token gives a 200. Sometimes not.

If the user logs in to LinkedIn during this "401 period" then magically the previously fetched access token starts to work.

I am at a loss how to solve this, as it seems to be an issue at LinkedIn.

Has anybody any suggestions or did anybody see this behavior before?

We tried cookie settings, wait periods before our request etc.

We are adding LinkedIn OAuth2 authentication to Zotonic [1], but are now stuck with a non-working module.

[1] http://zotonic.com/

Edit:

Someone referred to two discussions at LinkedIn. His reply now regretfully disappeared from the discussion below.

These are the links:

https://developer.linkedin.com/forum/unable-verify-access-token

https://developer.linkedin.com/forum/unauthorized-invalid-or-expired-token-immediately-after-receiving-oauth2-token

I have tried all suggestions in these discussions, to no avail.

Edit #2:

Checking the first discussion at LinkedIn shows that I am not the only one having these consistency issues. Something at LinkedIn is going wrong if the user has cleared cookies or has to sign in to LinkedIn during the OAuth "dance" https://developer.linkedin.com/forum/unable-verify-access-token#comment-36950

Update

Solved, thanks to Matthijs Bierman, see answers below.

Marc Worrell
  • 426
  • 1
  • 3
  • 8

10 Answers10

21

For me the https://api.linkedin.com/v1/people/~?format=json&oauth2_access_token=[accessToken] didn't work.

Adding reguest header

Authorization: Bearer [accessToken]

didn't work until I went through linked in sdk and tested and found out that they also require you to add request header

x-li-src: msdk

With those two headers the call https://api.linkedin.com/v1/people/~?format=json worked.

Hopefully Linkedin fixes this undocumented requirement soon...

Groosa
  • 291
  • 2
  • 8
6

We talked on the phone, turns out you're running into the same problem as here. LinkedIn doesn't accept the Authentication header and expects a request parameter: oauth2_access_token.

Matthijs Bierman
  • 1,667
  • 9
  • 14
  • 2
    Indeed the problem is similar. It seems there is different handling for the Authorization header and the access token query argument. Confusing that the LinkedIn examples use the Authorization header. – Marc Worrell Jan 29 '15 at 22:05
  • I'm trying this in 2017 and it doesn't work anymore. I've tried as the docs say (https://developer.linkedin.com/docs/oauth2), using Authorization: Bearer {access_token} and query with oauth2_access_token={access_token), both with no success. after some minutes though, this works. anyone have more info? It seems like an eventual consistency on their side. – mwm Sep 20 '17 at 14:31
  • @mwm can you help me to resolve same issue with getting access token. sharing my question post https://stackoverflow.com/questions/52501144/unable-to-get-access-token-linkedin-oauth – Prasanna Sep 26 '18 at 05:30
5

AccessToken from mobile SDK gives this error:

You will not face any issue with accessTokens generated using web OAuth 2.0 protocol. This problem occur only with mobile(iOS/Android) SDK, when the accessToken is used by back-end to fetch user details.

Solution: provide below 2 headers

  1. Authorization
  2. x-li-src (skip for web)

for example:

Url: https://api.linkedin.com/v1/people/~?format=json

Header(s):

Authorization: Bearer AQVYqTNB3bFRAIatBcp4hM1r-......

x-li-src:  msdk

Note:

If AccessToken is generated using OAuth 2.0, you can use the same above api by removing just the second header(x-li-src) .

PANKAJ VERMA
  • 3,090
  • 1
  • 14
  • 14
3

Same here, every time I was getting new access_token I had to wait couple minutes until it was valid. This was unacceptable.

I took a look how different sites do the SignIn with LinkedIn and here is a solution that worked for me.

When exchanging AUTH_CODE in order to get ACCESS_TOKEN use GET method instead of POST, eg:

GET https://www.linkedin.com/oauth/v2/accessToken?client_id=yourClientId&client_secret=yourClientSecret&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2FlinkedInLogin&code=AQQGx11-p1uaQWz2YBWHBcskaGrVrEDeFUo4O2vjolFaKaQ89UhGlR27_yDACNLoxDmYi7AR5sCplwsHLD_ERAVsscFozo-qRl032aFnj2UcUoPjCfo

Grails integration with LinkedIn OAuth2 example: https://github.com/rgrebski/samples/tree/master/grails-linkedin-integration

rgrebski
  • 1,728
  • 17
  • 23
2

With the help of Matthijs Bierman we found a fix for our problem.

We authenticated with an Authorization: Bearer .... header. If we use a oauth2_access_token query argument instead then it works in both the use cases with and without a signed-in LinkedIn user.

Conclusion: don't use the Authorization header and use the oauth2_access_token query argument instead.

Marc Worrell
  • 426
  • 1
  • 3
  • 8
1

I am seeing this same problem; however, the query param is not working for me.

It is characterized just as the question described: 1) I have a valid token 2) The user is logged out of linkedin 3) The request for the user profile fails 4) Wait five minutes and it succeeds

You can see my request/response below:

$ curl -v  "https://api.linkedin.com/v1/people/~?format=json&oauth2_access_token=$LI_AT"
* Hostname was NOT found in DNS cache
*   Trying 108.174.10.12...
* Connected to api.linkedin.com (108.174.10.12) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: tablet.linkedin.com
* Server certificate: DigiCert SHA2 Secure Server CA
* Server certificate: DigiCert Global Root CA
> GET /v1/people/~?format=json&oauth2_access_token=[**obscurred for security sake**] HTTP/1.1
> User-Agent: curl/7.37.1
> Host: api.linkedin.com
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
* Server Apache-Coyote/1.1 is not blacklisted
< Server: Apache-Coyote/1.1
< x-li-request-id: LZ2X5Y9DCC
< Date: Thu, 20 Aug 2015 16:12:52 GMT
< Vary: *
< x-li-format: json
< Content-Type: application/json;charset=UTF-8
< Content-Length: 142
< X-Li-Fabric: prod-ltx1
< Connection: keep-alive
< X-Li-Pop: prod-lva1
< X-LI-UUID: lS7xYKc3/BNAj0nmNSsAAA==
< Set-Cookie: lidc="b=TB76:g=111:u=47:i=1440087172:t=1440094069:s=AQHPHzjyg93X3bnT8KuNvThuwQo5buSS"; Expires=Thu, 20 Aug 2015 18:07:49 GMT; domain=.linkedin.com; Path=/
< 
{
  "errorCode": 0,
  "message": "Unable to verify access token",
  "requestId": "LZ2X5Y9DCC",
  "status": 401,
  "timestamp": 1440087172914
* Connection #0 to host api.linkedin.com left intact
}
Judah Anthony
  • 111
  • 1
  • 4
  • 1
    You're generating a new token when you make a request to linkedin. If you try to use the old token you'll fail out – asgaines Aug 21 '15 at 18:08
  • The thing is I'm not generating a new token. In addition, sometimes the new token only fails for around 30 seconds, then it starts working; however, 30 seconds for a login is un acceptable. – Judah Anthony Aug 24 '15 at 13:30
1

I tried all above solutions, but didn't work with me. I changed my url from 

https://www.linkedin.com/oauth/v2/

to 

https://www.linkedin.com/uas/oauth2/

it worked properly.

Luong Dinh
  • 539
  • 4
  • 14
0

The authenticated state of the user on LinkedIn.com (whether or not they're logged in) doesn't have an affect on a valid OAuth access token. In other words, the user can log out of LinkedIn.com and that token should still work until it's either revoked or expired.

Is there a possibility that you're generating a new token? That would render the previous one invalid. That error message you've shared is usually caused when a token has been refreshed and you're making an API call with the previous token

Kamyar Mohager
  • 699
  • 3
  • 10
  • Hi Kamyar, I am following the steps at https://developer.linkedin.com/documents/authentication Which is giving me a new access token every time the user authenticates against LinkedIn. The difference between being signed in into LinkedIn and not has been observed by three different people with different browsers. The moment we get an OAuth dialog where we have to fill in email/password at LinkedIn then we will get the above errors. I have also used curl alongside our system to check if there is not a persistent connection issue. – Marc Worrell Jan 23 '15 at 07:52
  • Kamyar, do you have any suggestions that we might try? At the moment we had to mail all our customers and members that we can't use LinkedIn authentication because of the mentioned problems with the LinkedIn OAuth2 process. – Marc Worrell Jan 27 '15 at 09:58
  • @MarcWorrell can you help me to resolve same issue with getting access token. sharing my question post https://stackoverflow.com/questions/52501144/unable-to-get-access-token-linkedin-oauth – Prasanna Sep 26 '18 at 05:30
  • @PrasannaSasne I see that you solved your problem by adding CORS headers. Good to know you got it working as well. – Marc Worrell Sep 27 '18 at 10:18
0

None of the above worked for me. Anyone knows if there is a solution for that? sometimes its working and sometimes not without any change of code.

Omtechguy
  • 2,562
  • 3
  • 28
  • 58
0

https://api.linkedin.com/v1/people/~?format=json&oauth2_access_token=<token>

By default, it's return response in XML, adding format=json.

Ganesh K
  • 599
  • 9
  • 16